https://community.splunk.com/t5/Splunk-Search/Splunk-Search-regex/m-p/516106#M144971 <P>The events look like very much structured and values are delimited with pipe symbol.</P><P>you can use IFX(Interactive Field Extraction) to extract them very nicely.</P><P><A href="https://docs.splunk.com/Documentation/Splunk/8.0.5/Knowledge/ExtractfieldsinteractivelywithIFX" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.0.5/Knowledge/ExtractfieldsinteractivelywithIFX</A></P> Tue, 25 Aug 2020 18:06:20 GMT thambisetty 2020-08-25T18:06:20Z https://community.splunk.com/t5/Splunk-Search/Splunk-Search-regex/m-p/516082#M144954 <P>Hello,&nbsp;</P><P>My first post!!!</P><P>I have a bunch of results that show up when searched. One of the example is&nbsp;</P><P><FONT>Aug 5 19:08:12 ServerName Aug 5, 2020 19:08:12 GMT|50000|APP|UNKNOWN|XXX.XXX.XXX.XXX|XXX.XXX.XXX.XXX|XXX.XXX.XXX.XXX|443|XXXXX|-|/<STRONG>someprocess.php</STRONG>|-|A message posted successfully|500&nbsp;</FONT></P><P><FONT>Aug 5 19:08:10 ServerName Aug 5, 2020 19:08:10 GMT|50000|APP|UNKNOWN|XXX.XXX.XXX.XXX|XXX.XXX.XXX.XXX|XXX.XXX.XXX.XXX|443|XXXXX|-|/<STRONG>newprocess.php</STRONG>|-|A message posted successfully|200 </FONT></P><P><FONT>I want to do a stats count by the .php processes. So, how do i add these or eval/stats these .php processes / scripts ?&nbsp;</FONT></P> Tue, 25 Aug 2020 16:52:36 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-Search-regex/m-p/516082#M144954 avsplunkuser007 2020-08-25T16:52:36Z https://community.splunk.com/t5/Splunk-Search/Splunk-Search-regex/m-p/516092#M144958 <P>It looks like the script name is the 11th field assuming "|" is the delimiter so something like this might work</P><LI-CODE lang="markup">... base search ... | eval logmessage=_raw | makemv delim="|" logmessage | eval script=mvindex(logmessage,10) | stats count by script</LI-CODE><P>Indexes start at zero so index 10 for the 11th field&nbsp;</P> Tue, 25 Aug 2020 17:40:17 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-Search-regex/m-p/516092#M144958 ITWhisperer 2020-08-25T17:40:17Z https://community.splunk.com/t5/Splunk-Search/Splunk-Search-regex/m-p/516098#M144964 <P>Welcome!</P><P>To do stats on the field you first need to extract it.&nbsp; The <FONT face="courier new,courier">rex</FONT> command does that.</P><LI-CODE lang="markup">index=foo | rex "\/(?&lt;file&gt;\w+\.\w+)" | stats count by file</LI-CODE><P>&nbsp;</P> Tue, 25 Aug 2020 17:47:42 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-Search-regex/m-p/516098#M144964 richgalloway 2020-08-25T17:47:42Z https://community.splunk.com/t5/Splunk-Search/Splunk-Search-regex/m-p/516106#M144971 <P>The events look like very much structured and values are delimited with pipe symbol.</P><P>you can use IFX(Interactive Field Extraction) to extract them very nicely.</P><P><A href="https://docs.splunk.com/Documentation/Splunk/8.0.5/Knowledge/ExtractfieldsinteractivelywithIFX" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.0.5/Knowledge/ExtractfieldsinteractivelywithIFX</A></P> Tue, 25 Aug 2020 18:06:20 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-Search-regex/m-p/516106#M144971 thambisetty 2020-08-25T18:06:20Z https://community.splunk.com/t5/Splunk-Search/Splunk-Search-regex/m-p/516156#M145023 <P>And adding more Splunk features here, you could do this with props.conf and transforms.conf on search heads on search time ,-)</P><P>All these suggestions&nbsp; will work, it's your chose to select which own is best for your current needs.</P><P>r. Ismo</P> Tue, 25 Aug 2020 21:46:52 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-Search-regex/m-p/516156#M145023 isoutamo 2020-08-25T21:46:52Z https://community.splunk.com/t5/Splunk-Search/Splunk-Search-regex/m-p/516163#M145026 <P>Welcome to Splunk Answers! avesplunkuser007 We have some awesome contributors who help out users actively. Feel free to message me if you have any questions or concerns.</P> Wed, 26 Aug 2020 00:03:13 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-Search-regex/m-p/516163#M145026 Anam 2020-08-26T00:03:13Z